1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization

Grzegorz Bernacki posted 1 patch 2 years, 11 months ago
Failed in applying to current master (apply log)
Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
[edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
Posted by Grzegorz Bernacki 2 years, 11 months ago 
This commit allows to initialize Secure Boot default key
and databases from data embedded in firmware binary.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
 Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index d8c6fdd4bd..1fb4df0b81 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,7 +164,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
 !else
@@ -217,6 +217,7 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
@@ -612,6 +613,8 @@
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..0e43d24c7a 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 !if $(SECURE_BOOT_ENABLE) == TRUE
+!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !endif
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
-- 
2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75901): https://edk2.groups.io/g/devel/message/75901
Mute This Topic: https://groups.io/mt/83232294/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
Posted by Pete Batard 2 years, 11 months ago 
This whole patch series looks fine to me.

I have tested it on Raspberry Pi 4, and I have some changes lined up to 
ensure that the next Pi 4 firmware we produce, after this series has 
been integrated, can use the new feature.

For the record, since we are using an automated build system (and the Pi 
4 can't exactly be considered as a secure platform anyway), my plan is 
to discard the PK's private key and include only MS KEK and DBs for the 
time being.

Basically, it should go something like this:

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform 
Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes 
-sha256
curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.crt
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.crt
curl -L 
https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o 
keys/arm64_dbx.bin

and then use the files above for the DEFAULT_FILE vars.

With this, I was able to get the default keys installed using the new 
Secure Boot menu, and validated that something like the Windows 
bootloader would load properly, whereas an unsigned bootloader such as 
the GRUB one wouldn't.

Please find my formal R-b for this patch below:

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commit allows to initialize Secure Boot default key
> and databases from data embedded in firmware binary.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
>   Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
>   2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
> index d8c6fdd4bd..1fb4df0b81 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.dsc
> +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
> @@ -164,7 +164,7 @@
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>     TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>     AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -
> +  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>     # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
>     PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>   !else
> @@ -217,6 +217,7 @@
>     MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
>     HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
>     ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>     FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>   
>   [LibraryClasses.common.UEFI_DRIVER]
> @@ -612,6 +613,8 @@
>         NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>     }
>     SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> +  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !else
>     MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>   !endif
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
> index 1e13909a57..0e43d24c7a 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.fdf
> +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
> @@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
>     INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>     INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
>   !if $(SECURE_BOOT_ENABLE) == TRUE
> +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
>     INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !endif
>     INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>     INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75993): https://edk2.groups.io/g/devel/message/75993
Mute This Topic: https://groups.io/mt/83232294/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
Posted by Sunny Wang 2 years, 11 months ago 
Internally reviewed this patch before sending the edk2 mailing list and it looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization

This commit allows to initialize Secure Boot default key
and databases from data embedded in firmware binary.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
 Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index d8c6fdd4bd..1fb4df0b81 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,7 +164,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
 !else
@@ -217,6 +217,7 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 [LibraryClasses.common.UEFI_DRIVER]
@@ -612,6 +613,8 @@
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..0e43d24c7a 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 !if $(SECURE_BOOT_ENABLE) == TRUE
+!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !endif
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76052): https://edk2.groups.io/g/devel/message/76052
Mute This Topic: https://groups.io/mt/83232294/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
Posted by Samer El-Haj-Mahmoud 2 years, 9 months ago 
Reviewed-By: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>

> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Tuesday, June 1, 2021 9:12 AM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default
> Secure Boot variables initialization
>
> This commit allows to initialize Secure Boot default key
> and databases from data embedded in firmware binary.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>  Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
>  Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
>  2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc
> b/Platform/RaspberryPi/RPi4/RPi4.dsc
> index d8c6fdd4bd..1fb4df0b81 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.dsc
> +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
> @@ -164,7 +164,7 @@
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTp
> mMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -
> +
> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo
> otVariableLib.inf
>    # re-use the UserPhysicalPresent() dummy implementation from the ovmf
> tree
>
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.in
> f
>  !else
> @@ -217,6 +217,7 @@
>
> MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemor
> yAllocationLib.inf
>    HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>
>  [LibraryClasses.common.UEFI_DRIVER]
> @@ -612,6 +613,8 @@
>
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i
> nf
>    }
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  !else
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>  !endif
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf
> b/Platform/RaspberryPi/RPi4/RPi4.fdf
> index 1e13909a57..0e43d24c7a 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.fdf
> +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
> @@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
>    INF
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>    INF
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
>  !if $(SECURE_BOOT_ENABLE) == TRUE
> +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
>    INF
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +  INF
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  !endif
>    INF
> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCount
> erRuntimeDxe.inf
>    INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> --
> 2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#77611): https://edk2.groups.io/g/devel/message/77611
Mute This Topic: https://groups.io/mt/83232294/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.